Configure sudo user

In an environment that demands high security measures, the systems admin can create a sudo user in PowerVC. A sudo user has roles and privileges similar to a root user, but with a limited scope for PowerVC operations.
Creating a sudo user

The system admin can create a user on all PowerVC controller nodes. Later, add the user to the wheel group (assigning the user as sudo user).

Add special permission for passwordless sudo access such that PowerVC OpsMgr can run commands as the users root and pvc_internal and as the group pvcservices, but limited to the following commands:

- /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/libexec/platform-python*
- /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/bin/python*
- /usr/bin/rsync *

You can add the following to /etc/sudoers or equivalent to restrict execution of the commands:

    <sudo_user_username>    ALL=(root, %pvcservices, pvc_internal)    NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/libexec/platform-python*, /bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/bin/python*, /usr/bin/rsync *, /usr/sbin/crm_resource -Q*, /opt/ibm/powervc/ttv-validation/powervc-validator*
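As an added check that is not part of the PowerVC documentation, the following Python approximates how sudo matches a command against the command specs in the sudoers line above, so an administrator can see which invocations the rule admits before deploying it. The sample invocations, the BECOME token and the temporary paths in it are constructed; fnmatch-style matching of the space-joined arguments approximates sudo's behaviour, and `sudo -l -U <user>` on the node remains the authoritative answer.

```python
import fnmatch

# The Cmnd specs from the sudoers line above: executable path, then an
# optional argument pattern that sudo matches with fnmatch(3)-style globbing.
ALLOWED_SPECS = [
    "/bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/libexec/platform-python*",
    "/bin/sh -c echo BECOME-SUCCESS-[a-z]* ;*/usr/bin/python*",
    "/usr/bin/rsync *",
    "/usr/sbin/crm_resource -Q*",
    "/opt/ibm/powervc/ttv-validation/powervc-validator*",
]


def _split_spec(spec):
    """Split a spec into (path pattern, argument pattern or None); a spec
    without arguments admits any arguments, as in sudoers(5)."""
    path, _, args = spec.partition(" ")
    return path, (args or None)


def command_allowed(argv, specs=ALLOWED_SPECS):
    """Return True if argv (path followed by arguments) matches some spec.

    Approximation of sudo's check: the path is compared as a glob (sudo
    itself expands path wildcards against the file system) and the
    arguments are joined with single spaces and matched as one glob,
    where '*' also matches spaces and '/'.
    """
    path, args = argv[0], " ".join(argv[1:])
    for spec in specs:
        spec_path, spec_args = _split_spec(spec)
        if not fnmatch.fnmatchcase(path, spec_path):
            continue
        if spec_args is None or fnmatch.fnmatchcase(args, spec_args):
            return True
    return False


# Constructed sample invocations (hypothetical token and paths): the first
# has the shape of an Ansible "become" wrapper, which the rule is written
# to admit; the last two fall outside the rule.
SAMPLES = {
    "ansible-become": ["/bin/sh", "-c", "echo BECOME-SUCCESS-kqzlfoj ; /usr/bin/python3 /tmp/AnsiballZ_setup.py"],
    "rsync": ["/usr/bin/rsync", "-avz", "/tmp/x", "node2:/tmp/x"],
    "shell-id": ["/bin/sh", "-c", "id"],
    "crm-cleanup": ["/usr/sbin/crm_resource", "--cleanup"],
}


def evaluate_samples():
    """Map each sample name to whether the sudoers rule admits it."""
    return {name: command_allowed(argv) for name, argv in SAMPLES.items()}
```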
Considerations

- A sudo user must have the same password on all nodes.
- Provide sudo user login details during inventory creation.
- To run the powervc-config command as a non-root or sudo user, make sure to export the powervcrc environment (source /opt/ibm/powervc/powervcrc) after updating the username and password in that file. Then, run the sudo -E powervc-config compute command.
- If installation is performed as a sudo user, login will work only with the sudo user.

Example

    sudo powervc-services status or sudo powervc-validate --start

Output

    [user1@vm-1376 ~]$ sudo powervc-cloud-config policy-list
    [sudo] password for user1:
    Enter password for root:
    No cloud policy set by admin for project: ibm-default
    DEFAULT POLICY SET:
    project_id: 51eb7853a18a457b9cdd8636686adb75, project_name: ibm-default, policy_type: default_expiration_days, value: 30